Secure socket layer (SSL)
Features of SSL:
It is a layer between the application layer and transport layer in the TCP/IP protocol stag.
It was developed by Netscape to protect web transaction. Netscape developed SSL until 3.0 version but in the year 1999 IETF adopted and named as TLS (SSL3.1).
TLS is not compatible because TLS uses Diffie Hellman and data security standard and SSL uses RSA.
SSL or TLS is designed to do the following :
Authenticate the server to the client.
Authenticate client to the server (optional).
Select join cryptographic algorithms generate shared secret keys.
Built a protected connection to secure TCP/UDP connections.
Phases of SSL:
Session establishment: It is used when negotiation of parameters and authenticating of VPN peer.
Data transfer: user data is exchanged securely between encapsulated end points or VPN peers.
These 2 phases takes place using the protocol called SSL/TLS protocol. There are 3 sub phases of session establishments:
Hello messages are exchanged to negotiate parameters including authentication and encryption algorithm.
One way or two way authentication between client and server where a pre master key is sent by the client using public key of server to start protecting the session.
The master key is calculated and the cipher suite is authenticated.
SSL Handshake:+
Client hello and server hello contains major & minor versions, length of the header, cipher suites, compression scheme, session id.
Server will always send a highest of all and restart the existing session if client has a session id in its field otherwise if it is null server generate a session id.
Client generates a pre master key which also includes protocol version to prevent rollback attack and to generate master key.
Depending upon the cipher suite negotiation in early messages the pre master secret key can vary in length.
Pre master is typically composed of client SSL/TLS version number, string of random bytes, and is sent to the server encrypted by server’s public key.
The server then decrypts the Premaster string using its private key matching the public key from its certificate.
Both client and server use the pre master along with the random numbers to generate a master key (asymmetric key).
.html.resources/1BDD7E87-9255-4E6D-A512-A27E58579652.png)
This master key is used for message encryption and integrity checking.
The client sends a CCS (change cipher spec) message to the server has assigned that anything send from now onwards will be encrypted using the keys and protocols as established in the earlier message followed by a finish message and vice versa.
Datagram Transport Layer Security (DTLS):
- It uses UDP for transport layer protocol, for delay sensitive protocol it adds 2 new fields the first field is called:
- Sequence number: sequence number is included for each packet sent between client and server
- EPOCH: This field is used to differentiate between the conversations by using the same sequence number.
SSL/TLS record header:
CONTENT TYPE | |
VERSION |
LENGTH |
MAJOR |
MINOR | |
| ENCRYPTED PROTOCOL MESSAGE |
MAC |
PADDING (variable) |
--------------------------------------------4 Bytes------------------------------------------------
- Context: handshake:22, CCS:20 Application:23 Alert:21
- Version: SSL: 3.0 & 3.1, TLS: 1.0.
- Length: length of this record.
- Encapsulated protocol message: carries application data sent between client and server during a conversation.
After authentication, and hashing have been negotiated this field will be encrypted.
- MAC: mac calculated for the application data held is encapsulated protocol message.
- Padding: used alongside MAC protocols that operate as block cipher to pad the message length to a even size block.
SSL modes:
- Clientless mode: when a ssl vpn server configuration is in clientless mode any web base traffic can be protected. For example: http, https, ftp, cifs.
- Thin client or port forwarding mode: when cisco developed thin client not only the web base but TCP traffic can also be protected
- Thick client or tunnel mode: a software package is installed in the server for example SVC/any connect. It pushes the package file into PC and then it will get download the software and then it will act as an EZVPN which can also deals with IP base traffic protection.
Cisco Secure Desktop (CSD)
- Pre assessment
- Session encryption
- When we terminate it will do POST session clean up, it will clean up everything.
Configuration
There are 3 components in SSL:
- Gateway: it defines basic network and cryptographic settings of the SSL VPN server used by the gateway.
- Context: it defines common building blocks used in user policies and the authentication methods to authenticate remote user.
- Policy groups: it defines sets of configuration and aaa settings that are applied to users.
Steps to configure in SSL for Router:
- Self-signed certificate/identity certificate
- Gateway: (IP add, port, http redirect, encryption algorithm, hostname, trust point).
- Context: (AAA authentication method, AAA authentication domain, URL-list, port forward list, NBNS-net bios name server, port customization, gateway CSD, default policy group).
- Policy group and make one policy group as default policy group as per context.( functions, SVC configuration, timeout, URL-list, port forward list, NBNS list)